ABSTRACT

The Chief Information Officer role was just emerging in the 1990s, needed as information technology came to have a larger impact on organizations; the Chief Information Security Officer (CISO) role, however, was only beginning to emerge and was not a household word during this period. The need to manage the security of information has given rise to the role of the CISO. A CISO may be the first in an organization or may be the fourth or fifth to hold the role. The first CISO role was not named until 1995, and the role was not given high-level visibility except in the largest organizations. CISOs needed to work with compliance departments to define what constituted a breach vs. an event vs. an incident, a debate that goes on whenever a new law has a breach reporting requirement. The shift to a risk-based CISO required that the CISO acquire new skills to evaluate the probability and impact of an adverse event occurring.